Configure the root User Account Lockout Policy for vCenter Server

Set the maximum number of failed login attempts and the time that must pass before the account is automatically unlocked for the root local account in the vCenter Server appliances in VMware Cloud Foundation.
Setting                                   Default Value
Maximum number of failed login attempts   3
Unlock time for root                      300 seconds
Unlock time                               900 seconds

UI Procedure

  1. Log in to the vCenter Server appliance using SSH as root.
  2. Enable shell access.
     shell
  3. Back up the authentication requirements for the appliance using the following command.
    cp -p /etc/security/faillock.conf /etc/security/faillock.conf-`date +%F_%H:%M:%S`.back
  4. Verify that all settings for configuring the account lockout policy for the root user are present in the /etc/security/faillock.conf file. If some properties are missing from the file, add them manually.
     dir = /var/log/faillock
     audit
     silent
     deny = 3
     unlock_time = 1200
     even_deny_root
     root_unlock_time = 300
     fail_interval = 900
     The even_deny_root line is required: without it, pam_faillock never locks the root account and root_unlock_time has no effect. fail_interval is the window, in seconds, within which the failed attempts must occur to count toward deny.
  5. To configure the lockout policy for the root user account, in the /etc/security/faillock.conf file, set the following properties according to the requirements of your organization and save the file.
     Setting                                  Property in /etc/security/faillock.conf
     Maximum number of failed attempts        deny
     Unlock time for the root user account    root_unlock_time
     Unlock time for all local accounts       unlock_time
     The new values apply to subsequent authentication attempts. To view the current failure tally for root, run faillock --user root; to clear it, run faillock --user root --reset.
  6. Repeat this procedure for each workload domain vCenter Server.
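Steps 4 and 5 are easy to get subtly wrong by hand (a commented-out deny line, a missing even_deny_root, or editing root_unlock_time when unlock_time was meant). The following bash script is an added example, not VMware code and not part of the original procedure; it applies the settings idempotently and verifies the result. It assumes the faillock.conf layout shown above and GNU sed (as on the Photon OS based appliance); the hypothetical helper names set_faillock_opt, set_faillock_flag, get_faillock_opt and verify_root_lockout are this example's own, and the sample configuration it writes is constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not VMware code): idempotent pam_faillock edits plus a
# compliance check. Assumes GNU sed. Run the demo against a temp file;
# point the functions at /etc/security/faillock.conf on the appliance
# only after taking the backup from step 3.

# set_faillock_opt FILE KEY VALUE
# Rewrite "KEY = VALUE" in place (also un-commenting "# KEY = ..."),
# or append it if the key is absent. The ^ anchor keeps "unlock_time"
# from matching "root_unlock_time".
set_faillock_opt() {
  local file=$1 key=$2 value=$3
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

# set_faillock_flag FILE FLAG
# Ensure a bare flag line (even_deny_root, audit, silent) is active.
set_faillock_flag() {
  local file=$1 flag=$2
  if grep -Eq "^[[:space:]]*${flag}[[:space:]]*$" "$file"; then
    return 0
  fi
  if grep -Eq "^[[:space:]]*#[[:space:]]*${flag}[[:space:]]*$" "$file"; then
    sed -i -E "s|^[[:space:]]*#[[:space:]]*(${flag})[[:space:]]*$|\1|" "$file"
  else
    printf '%s\n' "$flag" >> "$file"
  fi
}

# get_faillock_opt FILE KEY -> prints the value of the last active "KEY = VALUE"
get_faillock_opt() {
  local file=$1 key=$2
  sed -nE "s|^[[:space:]]*${key}[[:space:]]*=[[:space:]]*([^[:space:]]+).*|\1|p" "$file" | tail -n 1
}

# has_faillock_flag FILE FLAG -> 0 if the bare flag is active
has_faillock_flag() {
  grep -Eq "^[[:space:]]*$2[[:space:]]*$" "$1"
}

# verify_root_lockout FILE DENY ROOT_UNLOCK UNLOCK
# Returns 0 when the root lockout policy matches, 1 otherwise, naming each gap.
verify_root_lockout() {
  local file=$1 deny=$2 root_unlock=$3 unlock=$4 rc=0
  [ "$(get_faillock_opt "$file" deny)" = "$deny" ] || { echo "deny mismatch"; rc=1; }
  [ "$(get_faillock_opt "$file" root_unlock_time)" = "$root_unlock" ] || { echo "root_unlock_time mismatch"; rc=1; }
  [ "$(get_faillock_opt "$file" unlock_time)" = "$unlock" ] || { echo "unlock_time mismatch"; rc=1; }
  # deny and root_unlock_time are ignored for root unless even_deny_root is set.
  has_faillock_flag "$file" even_deny_root || { echo "even_deny_root missing"; rc=1; }
  return $rc
}

demo() {
  local tmp
  tmp=$(mktemp)
  # Constructed sample (not a real appliance file): deny commented out,
  # even_deny_root absent, unlock_time not at the wanted value.
  cat > "$tmp" <<'EOF'
dir = /var/log/faillock
audit
silent
# deny = 3
unlock_time = 1200
root_unlock_time = 300
fail_interval = 900
EOF
  if verify_root_lockout "$tmp" 3 300 900; then
    echo "already compliant"
  else
    echo "not compliant, applying settings"
    set_faillock_opt "$tmp" deny 3
    set_faillock_opt "$tmp" root_unlock_time 300
    set_faillock_opt "$tmp" unlock_time 900
    set_faillock_flag "$tmp" even_deny_root
    verify_root_lockout "$tmp" 3 300 900 && echo "compliant after update"
  fi
  cat "$tmp"
  rm -f "$tmp"
}

demo
```

Because the edits are idempotent, the same script can be rerun on every workload domain vCenter Server; a second run only reports compliance. Keep the step 3 backup, since a sed replacement on the live file has no undo.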

PowerShell Procedure

  1. Start PowerShell. The Update-VcenterAccountLockout cmdlet is provided by the PowerValidatedSolutions module, which must be installed.
  2. Replace the values in the sample code and run the commands in the PowerShell console. The password shown is a placeholder; do not leave real credentials in saved scripts or in the PowerShell command history.
     $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
     $sddcManagerUser = "administrator@vsphere.local"
     $sddcManagerPass = "VMw@re1!"
     $sddcDomainName = "sfo-m01"
     $maxFailures = "5"
     $rootUnlockInterval = "300"
     $unlockInterval = "900"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-VcenterAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -failures $maxFailures -unlockInterval $unlockInterval -rootUnlockInterval $rootUnlockInterval
  4. Repeat this procedure for each workload domain vCenter Server.